Concern actors of unknown origin have been attributed to a harmful promotion mostly targeting organizations in Japan since January 2025.
” The attacker has exploited the vulnerability , a remote code execution (RCE ) flaw in the PHP-CGI implementation of PHP on Windows, to gain initial access to victim machines”, Cisco Talos researcher Chetan Raghuprasad in a technical report published Thursday.
” The intruder utilizes addons of the publicly available Cobalt Strike system’ TaoWu ‘ for-post abuse activities”.
Goals of the destructive action contain companies across tech, telecommunications, entertainment, education, and e-commerce sectors in Japan.
It all starts with the threat actors exploiting the CVE-2024-4577 vulnerability to gain preliminary access and run PowerShell scripts to do the Cobalt Strike reverse HTTP shellcode payload to give themselves frequent remote access to the affected endpoint.
The next step entails carrying out surveillance, luxury increase, and lateral action using tools like JuicyPotato, RottenPotato, SweetPotato, Fscan, and Seatbelt. More resilience is established via Windows Registry changes, scheduled things, and bespoke services using the plugins of the Cobalt Strike system called TaoWu.
” To maintain secrecy, they erase event reports using wevtutil orders, removing traces of their actions from the Windows security, structure, and software reports”, Raghuprasad noted. ” Eventually, they execute Mimikatz commands to dump and exfiltrate passwords and NTLM hashes from memory on the victim’s machine”.
The attacks culminate with the hacking crew stealing passwords and NTLM hashes from the infected hosts. Further analysis of the command-and-control ( C2 ) servers associated with the Cobalt Strike tool has revealed that the threat actor left the directory listings accessible over the internet, thereby exposing the full suite of adversarial tools and frameworks hosted on the Alibaba cloud servers.
Notable among the tools are listed below-
- Browser Exploitation Framework ( BeEF), a publicly available pentesting software for executing commands within the browser context
- Viper C2, a modular C2 framework that facilitates remote command execution and generation of Meterpreter reverse shell payloads
- Blue-Lotus, a JavaScript webshell cross-site scripting ( XSS) attack framework that enables the creation of JavaScript web shell payloads to conduct XSS attacks, capture screenshots, obtain reverse shell, steal browser cookies, and create new accounts in the Content Management System ( CMS )
” We assess with moderate confidence that the attacker’s motive extends beyond just credential harvesting, based on our observation of other post-exploitation activities, such as establishing persistence, elevating to SYSTEM level privilege, and potential access to adversarial frameworks, indicating the likelihood of future attacks”, Raghuprasad said.